Is the Firefox honeymoon over?

[Steve]

George Ou writes, in his ZDNet blog:

Last week's premature disclosure of a zero-day Firefox exploit came a few weeks after a zero-day exploit for Internet Explorer appeared on the Internet. Firefox not only has more vulnerabilities per month than Internet Explorer, but it is now surpassing Internet Explorer for the number of exploits available for public download in recent months.

...the facade that Firefox is the cure to the Internet Explorer security blues is quickly fading. It just goes to prove that any popular software worth hacking that has security vulnerabilities will eventually have to deal with live working exploits. Firefox mostly managed to stay under the radar from hackers before April of 2005. Since that time, new exploits are being released almost on a monthly basis.

What George fails to investigate is whether the open-source nature of Firefox accelerates the vulnerability discovery process when compared to Internet Explorer. He also doesn't make any mention of the time between discovery and fix availability.

That's not to say I'm defending Firefox here. It has grown in popularity so it is going to be a hacker target. A piece of software without bugs doesn't exist, however, so it's all about how you deal with them. Do Microsoft or the Mozilla Corporation deal with them better? That I cannot answer.

[dangel]

Symantec seem to have the same idea:

http://www.theregister.co.uk/2005/09...threat_report/


Is it suprising that minority products like OSX and Firefox might be just as vunerable to security flaws? Not really. I quite agree with the idea that a product's popularity dictates how much of a target it is. Sure MS have introduced vunerabilities in their rush to get functionality into product, but most of this has now been tightened up now and i'd be surprised if they're really any worse off technologically than the competition now. The truth is that MS are just as focused on security (if not more so) than anyone else post SP2, and probably have more resources than anyone else to throw at it.

We live in a _very_ strange world now - MS products appear to be pretty secure and darn stable. I'd never thought i'd see it

[nev_payne]

I have to admit however, the speed at which a problem is addressed is far quicker than what I've seen form Microsoft. It may well be that FF tackles each problem as it occurs - MS however goes for groups of them.

[Zak33]

Open Source scares some people, others like the idea of external solutions coming to market quickly.

I'm open to both side. But Mozilla still carries the candle for me.

[[GSV]Trig]

I prefer the feel of Firefox over IE, I still use IE for windows update and for a few badly coded pages..

IMHO IE will bounce back tho, MS wont just sit on there hands and let people shift browsers, they'll come back with the features that FF has and a few other bits and bobs and people in time will shift back so even if FF dies it'll still be a good thing as it'll improve what comes from MS after it...

[Stoo]

FF forever!

TBH we knew this would happen, as the platform became more popular, and the fact that the code is open source makes it a lot easier to discover bugs and vulns, and of course, it makes things a lot quicker to patch..

Maybe once MS start to obey open standards, rather than trying to push their own on everyone I might look at IE again, but I'm not holding my breath..

[quarkslot]

All the more interesting now that Opera has removed the license fee and adverts from its browser, I might be wrong (I'm sure someone will let me know if I am) but Opera is a stable and relatively secure product when compared with IE and Firefox.

[dangel]

All the more interesting now that Opera has removed the license fee and adverts from its browser, I might be wrong (I'm sure someone will let me know if I am) but Opera is a stable and relatively secure product when compared with IE and Firefox.

The point is that anythings secure, so long as people aren't hacking it. What's the metric for security anyway? Lack of popularity = more secure?

I'm an Opera fan, but not just for security via obscurity.

[peterb]

Opera has its share of vulnerabilities - there have been several upgrades and incremntal releases in the last year to fix serious flaws. As with all software, it has to be kept up to date. The advantage of open software is that the source code is available to large numbers of people interested in finding flaws and fixing them. The disadvantage of open software is that the source code is available to large numbers of people interested in finding flaws and exploiting them... Ok, a bit simplistic, but an element of truth...

[directhex]

RE the symantec study:

1) it counted only acknowledged bugs by the vendor - deny there's a bug, or call it a "feature", and it wasn't included

2) It counted only msie bugs, not windows bugs related to msie - so if there was a horrible windows insecurity than could be exploited via IE, that wasn't counted

[dangel]

Still it's not a horrifically complicated paradigm - more people using product = more exposure of product = more attractive target for people exploiting it.

What's the fuss?

FF is far from perfect - it's always had plenty of bugs.

[unreal]

To be honest I hardly notice any difference between IE, Opera and Firefox in terms of operation. The one thing I have found useful is tabbed browsing, but now its the norm in every browser. They are almost the same to me, so I just use firefox rather than IE6. But now it takes ages to start, and hogs much memory as stated, which is getting up my boobs tbh.

[dangel]

You have boobs? Lay off the estrogen!

[directhex]

hogs much memory as stated, which is getting up my boobs tbh.

it's a memory leak in Flash.

workaround:
about:config in the address bar
right click, new integer key, call it "browser.cache.memory.capacity", make it 60,000 (max amount of ram to use in KB)
restart firefox

[TheAnimus]

The big objection i have to how security is handled with firefox. Proof of concept stuff, THERE IS NO GOD DAMN NEED FOR IT. None at all.

MS do a very good job of keeping the researcher who found the flaw happy enough that they don't need to post about it in depth. This is good. I'm a cracker, i'm going to be giving a few lectuers on the matter (if its not deemed inapropreate). I don't need a howto guide for making my own attack. Its arogance, and stupidity, i've never felt why so many feal the need to get praise from the script kiddies, there not peers, there below that level.

For this reason, i much prefer to run IIS6 instead of apache 2, and IE7 instead of FF.

[rajagra]

I think I speak for everyone, when I say... What???

EDIT> OK, think I understand (& agree) now, thanks Paul